Policies specify the information security intentions of the university’s senior leadership, grant authority, define roles and responsibilities, and establish high-level requirements for protecting the university’s information resources. Policies are strategic in nature, specifying the desired security state of the university, but not how to achieve it. There are, as of this writing, two top-level policy documents:

The New School Information Security Policy (PDF) defines the fundamental principles of the New School information security program, establishes categories of information and their protection requirements, and assigns roles and responsibilities for implementing and complying with those requirements. The current version of this policy, Revision 1.0, was approved by the Information Security Steering Committee on November 18, 2011. For convenience, the Data Classifications section of this policy is also available as a separate document.

The New School Information Resource Acceptable Use Policy (PDF) establishes the rules for ethical and acceptable use of information resources at The New School. These rules support the free exchange of ideas among members of the New School community and between the New School community and other communities, while recognizing the responsibilities and limitations of such exchange. The current version of this policy, Revision 1.0, was approved by the Information Security Steering Committee on November 18, 2011.

Compliance

Compliance with these policies is mandatory for all students, faculty, staff, contractors, consultants, temporary staff members, guests, volunteers, and other members of the university community, including those affiliated with third parties, who access or in any way make use of university information or information systems.

The policies contained in the Policy represent baseline, or minimum, requirements that must be met by all offices and departments of the university. As appropriate and necessary, additional policies may be established at the office or department level to codify office-specific or department-specific requirements. These additional policies may supplement, but never reduce, the level of security required by the Policy.

Exceptions

Any department or unit of the university that cannot comply with any portion of this Policy must submit a written exception request to the Director of Information Security for review and disposition. Depending on the level of risk posed by granting the exception, the request may be referred to the Information Security Steering Committee for resolution.

Exception requests must include the scope and duration of the exception, the business reason for the exception, and a committed remediation plan and time frame to achieve compliance. Exception requests must be reviewed and signed off by the Information Owner or Information Trustee of each information resource affected by the exception before they are submitted.

Exceptions will be granted on a time-limited basis, and must be managed according to the university’s established information risk management process.

Detailed requirements, steps, and forms for making and tracking exception requests are described in the information security Procedure for Policy Exception Requests.